Home > News > Wanted: More Network-Security Graduates and Research

Wanted: More Network-Security Graduates and Research

From IEEE Computer
February 1, 2002

By Linda Dailey Paulson

The rash of viruses, intrusions, and other attacks on computer systems during the past two years has focused considerable attention on network security in the US.

At the same time, experts say the US is not spending enough on networksecurity research and universities are not producing enough graduates with advanced degrees in the field to conduct the necessary future research.

This situation troubles many security experts, who note that much of the US’s national infrastructure—affecting government agencies, corporations, utilities, transportation operations, the armed forces, and so on—runs on potentially vulnerable computer networks.

“We are so dependent on the cyberinfrastructure now,???said William A. Wulf, University of Virginia professor and National Academy of Engineering (NAE) president. “We can’t do financial transactions without it. Even the larger infrastructure—the power grid, gas pipelines—depends on [it].???

A lack of adequate research eventually could cause the US to face an “electronic Pearl Harbor,???in which a cyberattack cripples or damages the network running an important publicinfrastructure element and harms many people, said Terry Benzel, vice president of advanced security research at Network Associates.

Also, poor security could let hackers obtain Internet users???Social Security and credit card numbers and otherwise compromise their privacy. This lack of security could promote identity theft, fraud, and other crimes, noted Daniel A. Reed, director of the National Center for Supercomputing Applications at the University of Illinois at Urbana- Champaign, and director of the National Computational Science Alliance.

According to Timothy J. Shimeall, a senior member of the technical staff with the Software Engineering Institute’s (SEI’s) Networked Systems Survivability Program, security has become a growing concern now partly because the number of cyberattacks has increased dramatically in recent years, as Figure 1 shows. “And the vulnerabilitiesvulnerabilities being described are not trivial,???he noted.

Network threats are increasing in complexity, as demonstrated by the destructive distributed denial-of-service (DDoS) attacks on major Web sites in 2000 and dangerous worms such as last year’s CodeRed.

Malicious-code authors work with an open source model in which they freely share successive code improvements, thereby making their attacks increasingly sophisticated.

Computer-security issues were the subject of a recent hearing by the US House of Representatives???Science Committee in which panelists said the federal government must provide more funding and support to address the problem.


The NAE’s Wulf said there is a “minuscule” number of serious computersecurity researchers—perhaps 200—at US universities and companies.

The shortage apparently is caused in part by a low number of graduates with expertise in the security field and is complicated by network threats that are greater in number, complexity, and type.

“There is a need for more researchers in the field, but you can’t ramp up particularly quickly,???explained security expert and researcher Steven Bellovin, a Fellow at AT&T Labs Research. He said the few schools with computersecurity programs have relatively few faculty members in the field and thus cannot significantly increase the number of graduates they produce.

Most US network-security research occurs in the private sector and is usually related to the development of products such as antivirus software and intrusion-detection systems, said Purdue University Professor Eugene Spafford, director of the school’s Center for Education and Research in Information Assurance and Security.

As a result, critical basic securityrelated research in areas such as programming- language development has not received enough attention or funding, explained SEI’s Shimeall.

Typically, cryptography theory has been popular and has received much more attention as a research subject than other security topics, noted Columbia University computer science professor Salvatore J. Stolfo. Because of recent incidents, research has also begun focusing more on DDoS attacks and intrusion detection.

Outside of this, said Spafford, “The whole area of information security and assurance has been saddled with a sort of insurance view: You don’t need it until something goes wrong. It’s difficult to sustain an investment in.???/p>

Moreover, added Stolfo, “On balance, most of the research in academia is theoretical. Academia has done a very poor job in developing core courses and core research of a more practical nature.???/p>

Improving computer-security education could help generate better research in the field, he said. “This area needs to be elevated,???he explained. “Academia is the fuel that generates our technical population.???/p>

Perhaps schools could develop curricula in which security is at the core, he said. “Security has always been an afterthought in the way systems are designed, developed, and sold. That’s true in academics as well.???/p>

Schools have offered security courses for many years. “As a graduate student at Purdue in the late 1970s, early 1980s, I remember taking an excellent security and cryptography course from Dorothy Denning [a well-known security expert who is now a Georgetown University professor],???said the University of Illinois’s Reed. “However, there are still relatively few institutions that offer full degrees or emphases in computer security.???/p>

Spafford said he conducted an informal survey of 29 universities, primarily those designated as Centers of Excellence by the US National Security Agency (a list of designees is at http:// www.nsa.gov/isso/programs/nietp/ newspg1.htm), and found that the 24 respondents awarded PhDs to a total of only 23 students for network-security research during the past three years.


Sources cited a number of reasons why there are not enough graduates with advanced computer-security degrees and why there is insufficient security-related research in the US.


The main reason why universitybased security research has been weak, Spafford explained, is the lure of private- sector employment worldwide. “There is tremendous pull for personnel from industry,???he explained. “The tempting offers get larger and larger, and it gets difficult to resist.???/p>

“This tends to pull people out of potential faculty positions,???he said. “It also pulls [students] out before they complete their advanced degrees.???/p>

Educators say this problem creates a vicious circle, with students not enrolling in fields where there isn’t much research and little research occurring in fields where there aren’t many students.

Benzel said Network Associates tries to keep the students it hires enrolled in graduate school. “We’ll work with them and their advisors to encourage that,???she explained. Through these efforts, she said, 30 percent of her staff has PhDs, and another two employees are working on their doctorates.

Long university research cycles and slow publication rates make it difficult to conduct useful academic research in the fast-moving computer-security field, said SGI’s Shimeall.

Moreover, said Columbia University’s Stolfo, academic courses on system design and construction are often weak because they focus on theory rather than practical security fundamentals.


A problem in industry, said the University of Illinois’s Reed, is a “substantial shortage???of researchers and practitioners who have gained a broad knowledge of security. This problem is caused in part by the short-term commercial projects that dominate the security industry but that don’t give practitioners in-depth exposure to the field. Because of these problems, Reed said, security approaches largely represent older concepts patched together, rather than fresh concepts such as new secure network architectures.

Meanwhile, said AT&T’s Bellovin, security architects continue to rely on the Orange Book (the US Department of Defense’s Trusted Computer System Evaluation Criteria), which advocates and promulgates a perimeter defense around a centralized system. However, he added, this design doesn’t work in today’s distributed-computing environment, which consists of many computers and peripherals, any of which a hacker can use to attack a system.

Inadequate federal funding and leadership

No single federal funding agency has taken or been given responsibility for computer-security research in the US, although 13 agencies, including the National Science Foundation (NSF) and the Defense Advanced Research Projects Agency, participate in some meaningful way.

“There has never been a federal refunding agency that believed it owned the problem,???said the NAE’s Wulf. “Partly because the funding has been uncertain, the [security] community has been very conservative. You don’t see bold new ideas.???/p>

The coordination, encouragement, and monitoring of significant, longterm network-security research will be difficult without unified government support, noted Network Associates’s Benzel.

“While the government has a significant amount of money it invests in security research, it’s hard to know where it’s going and how it’s being spent,???she said.

“Agencies have different ways of accounting for their expenditures,” noted George Strawn, acting assistant director of the NSF’s Computer and Information Science and Engineering Directorate.

Legal issues

Legal issues are also cramping security- related research. First, the Digital Millennium Copyright Act requires researchers to get permission from copyright holders before examining software- or hardware-system vulnerabilities, explained SEI’s Shimeall.

Moreover, similar legal restrictions can limit the extent to which researchers can share their findings with one another, which reduces the benefit of their work, noted Peter Harsha, director of government affairs with the Computing Research Association.

Shimeall said it would help security research if the government protected researchers from such potential copyright violations.


According to Stolfo, there’s one easy solution to the shortage of graduates and research in security: “The NSF should stop funding research in encryption.???This would generate more funding for and interest in other security-related areas, he explained.

Meanwhile, Shimeall said, the academic community must restructure its computer-science curricula to generate interest and research in network-security issues.

And private- and public-sector educational incentives—such as scholarships, mentoring programs, and publishing opportunities—could encourage more students to pursue advanced network-security-related degrees. The NSF and other government agencies already provide scholarships for students pursuing computer-science degrees, although not necessarily in network-security studies.

In addition, federal and corporate funding of interesting academicresearch projects might attract more students and educators to networksecurity university programs.

Also, Wulf said, the federal government needs to provide permanent, not one-time or short-term, money for network- security research so that researchers can count on funding.

However, simply throwing money at the problem will not be a cure-all. Although increased government and private-sector funding can help, experts say rigorous oversight is mandatory to avoid “junk research” or monetary awards to programs that don’t have qualified faculty or a significant research record.

Meanwhile, said the University of Illinois’s Reed, the US must support more long-term security research. “What is needed is a major new investment in a broad research portfolio that includes long-term computing research,???he explained. “Long-term explorations are the basis for major breakthroughs. Indeed, most of what we now take for granted in computing is based on seminal work conducted 20, 10, or five years ago.???/p>

Finally, Reed said, the most pressing need is for an entire redesign of systems and the infrastructure to address security issues in a systemic, practical, [nontheoretical] manner.???/p>

The shortage of graduates and research in computer security might get worse before it gets better, according to some experts.

“This is a systemic problem, and we don’t have the right people taking a systemic view,???said Spafford. “I think there is tremendously fertile ground for long-range research. I don’t know what that’s going to be, but we need to throw off the bounds of thinking [only about] next year’s product cycle.???/p>

Also, stated Benzel, “the problems are just too big to be solved by one [economic sector]. This is the time for new partnerships. There needs to be more information-sharing between government, academia, and industry. We don’t need to be territorial. We need to work together.???/p>

Currently, Wulf noted, the US Congress is considering two bills that would authorize, although not guarantee, funding for networking-related research. For this and other reasons, he said, “I’m a lot more optimistic than I was a few months ago. At least the issue is on the table for discussion now. I couldn’t [even] get it on the table before.???/p>

Linda Dailey Paulson is a freelance technology writer based in Ventura, California. Contact her at ldpaulson@ yahoo.com.

Original Article | Local Copy


More news about William A Wulf


Return To List